Red Hat Bugzilla – Bug 74902
The kernel symbol "sys_call_table" omitted from ksyms
Last modified: 2007-04-18 12:47:01 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461;
Q312461; .NET CLR 1.0.3705)
Description of problem:
the kernel symbol sys_call_table is omitted from ksyms. I have found no other
bug report or explaination of why this deviation from kernel.org source has
occured. This interface is needed by products that use certain loadable
Version-Release number of selected component (if applicable):
Steps to Reproduce:
just look at the kernel symbol table and you will see that the
symbol "sys_call_table" is missing.
kernel modules never have been allowed to modify system calls, so they only can
call system calls this way. (yes I know some rootkits did it anyway)
And for calling system calls: all system calls are exported functions to
modules, so this cannot be a problem..
That is not true. They are allowed to - in the current kernel.org
tree as well as in previous (7.x) RH kernel lines.
This breaks LiS, for example, which exports STREAMS msging calls.
So, this is a deviation from stock kernel source, both present and
future. Red Hat should fix this with a patch release immediately.
Unless this is fixed, we have little choice but to announce to our users that
Red Hat 8.0 has broken kernels and will not support LiS STREAMS. (All other
distributions will support LiS STREAMS except RedHat 8.0.) We will have little
choice by to exclude Red Hat 8.0 and only Red Had 8.0 from our supported
Please respond immediately as I may be releasing the information concerning Red
Hat's lack of support for LiS STREAMS to our entire user base shortly.
Oter vendors like Ulticom use LiS in there applications for Telco industry TEMs
and NEPS. Is RH AS not going to support that industry anymore? Most of
the "portable" Telco apps on UNIX could port to Linux with LiS, without LiS,
the impact to the industry would be tragic. Oh well, I guess there is always
The following two system calls, from line 195 of asm-i386/unistd.h in kernel
version 2.5.38, are implemented by LiS. LiS is a loadable module.
#define __NR_getpmsg 188
#define __NR_putpmsg 189
So it is not correct to say that loadable modules do not implement system
calls. LiS has been implementing these calls for years.
Also, from line 521 of kernel/ksyms.c in 2.5.38 is the following:
Red Hat needs to bring its kernel DKI into compliance with the standard
kernels. The existence of this symbol in the 2.5 source shows that the kernel
developers intend to keep this symbol visible to modules.
If you want to remove the symbol, then cook up a patch for a registration
routine and get the kernel developers to put it into the stock kernel. LiS
will gladly use it.
This also makes it impossible to use the XTI library with the RH 8.0 kernel,
since this depends on LiS.
XTI is part of XNS, and thus required for Unix98 certification.
With this symbol removed, it will be impossible to get RH 8.0 anywhere near
Unix98 functionality, since several dozen Unix98-required library calls will
Also, while removing this symbol may may it harder for a rootkit to alter
syscalls, this is no real security enhancement: It is still possible to
find the address of the syscall table. I am not going to tell you how in
public - please ask your kernel security experts about this.
But if you insist on not publishing this symbol, one of the kernel modules
that no longer work might eventually include code to find the call table. If
such a module is open source, the rootkit hackers have been served a workaround
for your "security enhancement".
Those two symbols (putmsg and getmsg) are also required by the ABI suite for
iBCS which is a loadable module. Linux loses its iBCS compatabiility if the
system call table can not be located and writable.
It is trivial for a rootkit to find the system call table. The exported
sys_close symbol can be used to scan lower memory for the table and index back 6
longs, or, it is possible to scan for the correct pattern of identical
sys_ni_syscall pointers, or even scan for the correct pattern of pointer
offsets. If security was the purpose, bear in mind that a system which presumes
the stupidity of the crook is never secure--particularly when source code is
Face it: it was a bad idea.
Please re-export the symbol so that legitimate uses of the system call table do
not have to go to these architecture-dependent extents to locate the call table.
I was willing to work with the LiS people to actually fix LiS to do the right
thing (and to explain why the export is removed) but this is a great way to make
me loose interest.
We have presented a number of reasons for why the removal of sys_call_table is
both a bad idea and ineffective to its stated purpose.
So why is it that the best that you can come up with is an insult?
If you have an approved method for LiS to hook its system calls while remaining
a loadable driver, why don't you share the information with us?
I also want to register my objection, and I hope to speak for the entire LiS
community, to the absolute arrogance on the part of Red Hat to mark the status
of this report as CLOSED while active dialog is going on.
Just who do you think you are that you can unilaterally make changes to
standard kernel source in such a manner as to render the kernel non-compliant
with UNIX98 and break any number of existing drivers? Whatever happened to the
concept of the Bazaar? This is more like the Bizarre. Or maybe Kafka.
I understand that this may not be the most interesting topic, and statements
like "write a flame comment" don't exactly encourage collaboration, but the
reason so many people are upset is that "we" (LiS, telco developers, and
others) want our products to run on a stock RedHat Linux distribution, as well
as other distributions. We DO NOT want to exclude the stock RedHat
distribution from our future releases compatibility lists. I appologize for
the "flame bugzilla.redhat.com" comment posted and request that at a minimum,
someone from RedHat please explain the reasoning behind these changes and if
possible, work with LiS and other developers so that "we" can continue to
maintain stock RedHat Linux compatibility. "We" all want this to work, each
for our own reasons.
I will keep the Bug state as "Closed Won't fix", but make a final request that
either within this bug's comments or on RedHat's developer network
(http://redhat.com/devnet/), someone within RedHat post more information,
create a developer discussion forum and work with LiS and any other project
that runs into these problems introduced by the kernel symbols that have been
removed/omitted in a stock redhat kernel.
Thank You for your time,
Shanan: I am glad one of you is prepared to apologise for the
appalling childishness displayed by the link Arjan posted.
In your particular circumstance, probably a better solution
is to provide a simple permanent -ENOSYS hook patch to the mainline
kernel. This allows you to provide system calls correctly, without
the horrible ugliness and danger of sys_call_table hacks.
There are already spaces reserved in entry.S for your system calls.
The canonical example: sys_nfsservctl
Arjan: I suggest simply ignoring firstname.lastname@example.org and others
"demanding" things from Red Hat in favour
of people who are prepared to act in an adult manner.
the "mainline" stable kernel exports sys_call_table, so no patch is required
to the official 2.4 kernels
nfsd module can be unloaded with clients present, LiS does not need to
be unloaded so sys_nfsservc is not completely applicable.
There is a second problem with the example of nfsservctl. As far as I can tell,
this method won't work for LiS.
sys_nfsservctl gets itself into the kernel by having the user configure it in
with menuconfig. If it isn't desired, sys_nfsservctl is #defined to be
sys_ni_syscall. NFS doesn't have to put itself into the table defined in
entry.S because it is already there at compile time.
The LiS entry points are not already there at compile time, and I'm under the
impression that they never will be in the official kernel or in any kernels
provided by a vendor. The LiS entry points are already set to sys_ni_syscall to
This brings us back to the original problem. LiS needs to put itself into an
already compiled and running kernel, and the only way to do that is to modify
sys_call_table when it is loaded.
If there is another officially approved way to do this without recompiling the
kernel, then somebody please let us know.
Arjan: I was out yesterday - so let me apologize today
for any hurt feelings. The message linked to was addressed
to a community of LiS people, and was actually a followup
on a thread. (The thread's idea was to have everybody
whose plans are hurt by this kernel deviation to write
his reasons here so that RH knows. The ones it was addressed
to - i.e. the people from the LiS mail list - took it as
intended by presenting technical reasons against the move.)
I don't mind you guys ignoring me personally, but I don't
see how this has anything to do with complete validity (IMHO)
of the others' technical issues here. Ignore my comments
if you wish, but do answer theirs - please.
I also have an interest in seeing this missing symbols fixed in Red Hat 8. We
develope the Communications Server for Linux here in IBM and have already got
support for Red Hat 7.2, 7.3 stock and SuSE 8. We do not want to make a
statement that the Red Hat 8 is not supported. Will this problem also be
expected in the next Red Hat Advanced server release? We use the LiS Streams
code as well and we already are having alot of users migrating to Linux. This
type of problem will not be good Press for any involved. Please keep us
informed of where to find more discussions on this matter.
The syscall table is no longer visible in the 2.5 kernel either, since there is
no way to safely modify it on an SMP system.
If people want to support the 2.6 kernel, they will have to modify their
software in the exact same way they need to modify it in order to support recent
Red Hat systems based on the 2.4 kernel.
Asking Red Hat to export the syscall table again for 2.4 will not buy you
anything except some extra time, once 2.6 comes out the changes need to be made
will the IBM dude that keeps adding IBM internal things to this bug please stop
grep sys_call_table /boot/System.map
thank you for reminding us to remove this as well.
grep sys_call_table /proc/ksyms
---- Additional Comments From email@example.com 2005-07-11 15:00 EDT -------
Yes, please close this bug.